From ec6efbd9d3dcc367c66d81aa358c1e6ac5fbc56a Mon Sep 17 00:00:00 2001 From: Michael Grosser Date: Thu, 8 Jun 2017 06:34:36 +0000 Subject: [PATCH] Introduce working example of nginx controller with rbac --- examples/rbac/nginx/README.md | 69 ++++--------------- examples/rbac/nginx/default-backend.yml | 51 ++++++++++++++ .../nginx-ingress-controller-service.yml | 16 +++++ .../rbac/nginx/nginx-ingress-controller.yml | 35 ++++++++++ 4 files changed, 115 insertions(+), 56 deletions(-) create mode 100644 examples/rbac/nginx/default-backend.yml create mode 100644 examples/rbac/nginx/nginx-ingress-controller-service.yml create mode 100644 examples/rbac/nginx/nginx-ingress-controller.yml diff --git a/examples/rbac/nginx/README.md b/examples/rbac/nginx/README.md index cea82cbe7b..ef910e07cf 100644 --- a/examples/rbac/nginx/README.md +++ b/examples/rbac/nginx/README.md @@ -1,6 +1,6 @@ # Role Based Access Control -This example demontrates how to apply role based access control +This example demontrates how to apply an nginx ingress controller with role based access control ## Overview 
@@ -89,28 +89,20 @@ change as well. `ClusterRoleBinding`, and `RoleBinding`. ```sh -kubectl create -f ./nginx-ingress-controller-rbac.yml +kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress/master/examples/rbac/nginx/nginx-ingress-controller-rbac.yml ``` -2. Create the nginx-ingress-controller +2. Create default backend +```sh +kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress/master/examples/rbac/nginx/default-backend.yml +``` + +3. Create the nginx-ingress-controller For this example to work, the Service must be in the nginx-ingress namespace: -```yaml -apiVersion: v1 -kind: Service -metadata: - name: nginx-ingress - namespace: nginx-ingress #match namespace of service account and role -spec: - type: LoadBalancer - ports: - - port: 80 - name: http - - port: 443 - name: https - selector: - k8s-app: nginx-ingress-lb +```sh +kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress/master/examples/rbac/nginx/nginx-ingress-controller.yml ``` The serviceAccountName associated with the containers in the deployment must 
@@ -118,42 +110,7 @@ match the serviceAccount from nginx-ingress-controller-rbac.yml The namespace references in the Deployment metadata, container arguments, and POD_NAMESPACE should be in the nginx-ingress namespace. -```yaml -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: nginx-ingress-controller - #match namespace of service account and role - namespace: nginx-ingress -spec: - replicas: 2 - template: - metadata: - labels: - k8s-app: nginx-ingress-lb - spec: - #match name of service account - serviceAccountName: nginx-ingress-serviceaccount - containers: - - name: nginx-ingress-controller - image: gcr.io/google_containers/nginx-ingress-controller:version - #namespace matching is required in some arguments - args: - - /nginx-ingress-controller - - --default-backend-service=default/default-http-backend - - --default-ssl-certificate=$(POD_NAMESPACE)/tls-certificate - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - #match namespace of service account and role - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - containerPort: 80 - - containerPort: 443 - +4. Create ingress service +```sh +kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress/master/examples/rbac/nginx/nginx-ingress-controller-service.yml ``` diff --git a/examples/rbac/nginx/default-backend.yml b/examples/rbac/nginx/default-backend.yml new file mode 100644 index 0000000000..31cabfc4d0 --- /dev/null +++ b/examples/rbac/nginx/default-backend.yml 
@@ -0,0 +1,51 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: default-http-backend
+ labels:
+ k8s-app: default-http-backend
+ namespace: default
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ k8s-app: default-http-backend
+ spec:
+ terminationGracePeriodSeconds: 60
+ containers:
+ - name: default-http-backend
+ # Any image is permissable as long as:
+ # 1. It serves a 404 page at /
+ # 2. It serves 200 on a /healthz endpoint
+ image: gcr.io/google_containers/defaultbackend:1.0
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 8080
+ resources:
+ limits:
+ cpu: 10m
+ memory: 20Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: default-http-backend
+ namespace: default
+ labels:
+ k8s-app: default-http-backend
+spec:
+ ports:
+ - port: 80
+ targetPort: 8080
+ selector:
+ k8s-app: default-http-backend
diff --git a/examples/rbac/nginx/nginx-ingress-controller-service.yml b/examples/rbac/nginx/nginx-ingress-controller-service.yml
new file mode 100644
index 0000000000..f7e303a1a4
--- /dev/null
+++ b/examples/rbac/nginx/nginx-ingress-controller-service.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx-ingress
+ namespace: nginx-ingress
+spec:
+# Can also use LoadBalancer type
+ type: NodePort
+ ports:
+ - name: http
+ port: 8080
+ nodePort: 30080
+ targetPort: 80
+ protocol: TCP
+ selector:
+ k8s-app: nginx-ingress-lb
diff --git a/examples/rbac/nginx/nginx-ingress-controller.yml b/examples/rbac/nginx/nginx-ingress-controller.yml
new file mode 100644
index 0000000000..f355f86121
--- /dev/null
+++ b/examples/rbac/nginx/nginx-ingress-controller.yml
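Review bot: The default-http-backend Deployment defines only a `livenessProbe`, so the Service in the second document of this file will route traffic to a pod as soon as it is Running, before `/healthz` has answered once; a `readinessProbe` on the same endpoint keeps not-yet-ready pods out of the endpoint list. The healthz path and port are already established by the liveness probe, so the addition is a copy of that block with a shorter initial delay. The inline comment above `image:` also misspells "permissible" as `permissable`. The `default/default-http-backend` namespace/name pair here is what the controller Deployment's `--default-backend-service` argument points at, so both must be changed together if this is moved out of the `default` namespace.

```yaml
        livenessProbe:
          # … unchanged: httpGet /healthz on 8080 …
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 5   # constructed example value
          timeoutSeconds: 5
```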
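Review bot: The nginx-ingress Service exposes only an `http` entry (`port: 8080` → `targetPort: 80`), while the controller Deployment in nginx-ingress-controller.yml still passes `--default-ssl-certificate=$(POD_NAMESPACE)/tls-certificate` and the README version being removed exposed both 80 and 443; with this Service no TLS Ingress is reachable, so either add an https port entry (and a matching `containerPort: 443` in the Deployment, which currently lists only port 80) or drop the SSL flag from the controller arguments. The comment `# Can also use LoadBalancer type` sits at column 0 inside `spec:`; moving it to the indentation of `type:` keeps yamllint quiet and makes clear which key it annotates. The `30080` NodePort is fine for an example, but a note that NodePort opens the port on every node's address would help readers who copy this into a shared cluster.

```yaml
  ports:
    # … unchanged: http port entry …
    - name: https
      port: 8443          # constructed example values; choose ports for your cluster
      nodePort: 30443
      targetPort: 443
      protocol: TCP
```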
@@ -0,0 +1,35 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nginx-ingress-controller
+ namespace: nginx-ingress
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ k8s-app: nginx-ingress-lb
+ template:
+ metadata:
+ labels:
+ k8s-app: nginx-ingress-lb
+ spec:
+ serviceAccountName: nginx-ingress-serviceaccount
+ containers:
+ - name: nginx-ingress-controller
+ image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7
+ args:
+ - /nginx-ingress-controller
+ - --default-backend-service=default/default-http-backend
+ - --default-ssl-certificate=$(POD_NAMESPACE)/tls-certificate
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - name: http
+ containerPort: 80
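Review bot: The second environment entry, `name: POD_NAMESPACE`, has no sequence dash, so it is not a new list element but a second `name`/`valueFrom` pair inside the `POD_NAME` item; depending on the decoder that is rejected as a duplicate key or silently overwrites POD_NAME, and the controller then has no POD_NAME at all (exact indentation is not recoverable from this view, but the dash is clearly absent). Change it to `- name: POD_NAMESPACE` at the same indent as `- name: POD_NAME`. The container also passes `--default-ssl-certificate=$(POD_NAMESPACE)/tls-certificate`, yet nothing in this patch creates a `tls-certificate` Secret in the nginx-ingress namespace and the container exposes only `containerPort: 80`, so the Secret should be documented as a prerequisite or the flag removed until TLS is wired through. The `serviceAccountName: nginx-ingress-serviceaccount` must match the ServiceAccount in nginx-ingress-controller-rbac.yml, which is outside this diff; a comment such as `# must match the ServiceAccount in nginx-ingress-controller-rbac.yml` on that line would preserve the guidance the removed README snippet carried.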